
AMLA 2026: A Practical Preparation Checklist for FinTechs and SaaS Compliance Vendors

A practical preparation guide for FinTechs and SaaS compliance vendors navigating the EU AMLA 2026 compliance timeline, covering the AML Regulation, direct supervision criteria, CDD obligations, technical standards, and the operational steps required before the AMLR applies in July 2027.

Editorial Team, Basit Nayani, May 25, 2026

The EU Anti-Money Laundering Authority became operational on 1 July 2025, and while its full supervisory mandate does not take effect until 2028, 2026 is the year that determines whether FinTechs and SaaS compliance vendors are positioned to meet it. Between now and 2027, AMLA must publish 23 Level 2 and Level 3 measures, most of them due by 10 July 2026. These standards will define, at binding legal detail, how CDD is conducted, what governance structures are required, and what controls apply to crypto-asset service providers and other newly in-scope entities. Organizations that treat AMLA as a 2027 problem will find themselves compressing months of structural change into a very short window. 


What AMLA Is and Why It Matters

The EU's previous AML framework was built on directives requiring national transposition, producing significant variation in how obligations were enforced across member states. 

Three interlocking instruments now replace that patchwork: the Anti-Money Laundering Authority Regulation (EU) 2024/1620, the Anti-Money Laundering Regulation (EU) 2024/1624, and the Sixth Anti-Money Laundering Directive (EU) 2024/1640, together creating a single harmonized EU-wide rulebook and a central supervisory authority. The critical distinction is that the AMLR is directly applicable; it requires no national transposition and applies identically across all 27 member states from 10 July 2027. 

For FinTechs operating across multiple EU jurisdictions, this eliminates the compliance arbitrage previously possible by selecting a more permissive home regulator. 

Who AMLA Supervises Directly

From 2028, AMLA will directly supervise 40 of the most complex high-risk financial institutions in the EU. Most FinTechs will not be among them. But this does not reduce the compliance burden. The AMLR applies to all obliged entities, and national supervisors will operate under AMLA's standards and methodologies. A FinTech that satisfies its current national supervisor may not satisfy the same supervisor once AMLA's technical standards are embedded. 

The AMLR also expands the obliged entity scope. All CASPs authorized under MiCAR are now fully within AML scope, closing the gap where some crypto businesses operated under national exemptions. Crowdfunding platforms and consumer credit providers that are not credit institutions are also newly in scope. SaaS vendors serving any of these entities should expect their customers to face increased scrutiny, creating commercial pressure to upgrade the underlying platform. 

The 2026 Timeline

By 10 July 2026, AMLA must publish guidelines on the risk variables and factors obliged entities must consider when entering business relationships, and on the elements they must account for when setting the extent of their internal policies, procedures, and controls. These will be the definitive reference for how CDD is structured and how compliance functions must be resourced. Separately, AMLA must deliver draft Regulatory Technical Standards on group-wide policies covering entities that share common ownership, management, or compliance control, directly relevant to FinTechs with multi-jurisdiction EU structures.

The consultation processes running throughout 2026 are not passive reading exercises. Draft standards are sufficient to begin gap analysis now, and responding to consultations is an opportunity to influence the final rules before they bind.

What Changes Under the AMLR

Business-Wide Risk Assessment

The AMLR introduces a mandatory, documented Business-Wide Risk Assessment. It must be kept up to date and reviewed whenever internal or external events significantly affect the ML/TF risks associated with the entity's activities, products, transactions, delivery channels, customers, or geographic zones, and must be approved by the management body. For FinTechs with dynamic product portfolios, this is not a static annual document. It requires a methodology that responds to product launches and market expansions without being rebuilt from scratch. SaaS vendors should treat BWRA management as a core product capability, not an optional module.

CDD and Sanctions Screening

The AMLR sets a harmonized EUR 10,000 threshold for occasional transactions. More significantly, obliged entities must verify the customer's identity, identify beneficial owners, understand the purpose of the business relationship, verify whether the customer is subject to targeted financial sanctions, and determine whether the customer is a politically exposed person. PEP screening and sanctions verification are formally embedded within core CDD; failing to conduct them is a CDD failure, not a separate gap. For FinTechs with automated onboarding, screening must be integrated at the point of data collection, not run as a post-processing step.

Governance and Outsourcing

Obliged entities must maintain an internal control framework with a clear division of responsibilities proportionate to the nature and size of the business. FinTechs relying on a part-time MLRO or outsourced compliance oversight should review whether that model will satisfy the AMLR's governance requirements. On outsourcing, the AMLR significantly tightens the conditions under which outsourcing is permitted, distinguishing clearly between outsourcing of AML/CFT tasks and reliance on other obliged entities. A FinTech cannot transfer its AML obligations to a software vendor. It can use vendor tools to fulfill them, provided the oversight structure is documented and the accountability remains with the obliged entity. 

Preparation Checklist for FinTechs

Confirm obliged entity status. Verify whether the organization falls within the AMLR's expanded scope under Regulation (EU) 2024/1624. CASPs, crowdfunding platforms, and consumer credit providers not previously in scope should treat this as a priority review. The AMLR applies from 10 July 2027 regardless of transitional notices.

Conduct a gap analysis against AMLR requirements. Compare current AML policies against the AMLR text and the EBA's March 2025 consultation paper covering CDD requirements under Article 28. Monitor AMLA's consultations throughout 2026 and respond where standards directly affect your business model.

Upgrade the Business-Wide Risk Assessment. Revise the BWRA to meet the AMLR's documentation, review, and approval requirements across all product lines, payment channels, geographic markets, and customer segments. Obtain management body sign-off and ensure it is available for supervisory inspection.

Integrate PEP and sanctions screening into CDD. Screening must occur at onboarding as part of the CDD process, not as a separate periodic check. Cover the EU consolidated list, UN Security Council designations, OFAC's SDN list where US-nexus applies, and the UK OFSI list. Document every match review decision — regulators will assess not just whether screening occurred but whether results were reviewed and escalated appropriately.

Review transaction monitoring calibration. Static rule sets reviewed annually are likely to be inadequate under the AMLR's emphasis on continuous, data-driven monitoring. Monitoring must generate a documented alert trail demonstrating how anomalous patterns were identified, reviewed, and resolved.

Confirm STR workflow and FIU reporting channels. Verify that the internal suspicious transaction reporting process is functional, that the MLRO has a clear escalation path, and that the relevant FIU reporting portal is registered and actively used in each operating market.

Preparation Checklist for SaaS Compliance Vendors

Map your product's coverage against AMLR obligations. Document which obligations your platform currently helps clients discharge and which it does not. Make that mapping available to customers for their own gap analyses.

Review screening data coverage and update cadence. Ensure lists are updated at near-real-time frequency to reflect changes in sanctions designations and PEP status.

Audit your evidence generation capabilities. The challenge for regulated clients is no longer understanding requirements — it is demonstrating compliance continuously. If your platform does not produce verifiable, exportable records of each CDD decision, screening result, and monitoring alert, that is a retention risk as 2027 approaches.

Review outsourcing provisions in service agreements. The allocation of AML accountability between vendor and client must be explicitly documented and consistent with the AMLR's outsourcing rules. Customers will ask; regulators may require it.


The Enforcement Dimension

AMLA can impose administrative sanctions of up to 10% of annual turnover or EUR 10 million, whichever is higher. National authorities retain parallel enforcement powers, meaning a serious compliance failure can attract both AMLA-coordinated action and domestic proceedings simultaneously. Regulators are not waiting until 2027. National supervisors are already intensifying oversight in anticipation of the new framework, and early compliance investment will be viewed as good faith. 

Organizations that use 2026 as an active preparation period will enter 2027 with closed gaps and functioning systems. Those that wait will find the 2027 application date arrives before remediation is complete.

sanctions.io is a highly reliable and cost-effective solution for real-time screening. It is AI-powered and offers an enterprise-grade API with 99.99% uptime, which is why customers globally trust us with their compliance efforts and sanctions screening needs.

To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.

We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).

Editorial Team
This article was put together by the sanctions.io expert editorial team.
Basit Nayani
With experience in digital marketing, business development, and content strategy across mainland Europe, the UK and Asia, Basit Nayani joined the team as Head of Marketing & Growth in 2025.